The flaw is contained in the myCIOScn.dll program library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can be exploited when a user opens a specially crafted file or web page. ZDI rates the issue as very severe and has given it a CVSS score of 9 – maximum severity is 10.

As a workaround, ZDI recommends that users set the kill bit in the registry to prevent Internet Explorer from instantiating the affected ActiveX control. To do so, the “Compatibility Flags” DWORD entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7 must be set to “0x00000400”.
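The kill-bit workaround above, as an added PowerShell script that is not from the article, ZDI or McAfee: it ORs the 0x400 flag into whatever Compatibility Flags value is already present rather than overwriting it, then reads the value back to confirm. The CLSID is the one the article quotes, written with the braces that the ActiveX Compatibility key format uses; the script assumes an elevated prompt.

```powershell
# Added example (not from the article): set and verify the ActiveX kill bit
# for the control described above. CLSID taken from the article; the braces
# are the standard key-name format under ActiveX Compatibility.
$clsid   = '{209EBDEE-065C-11D4-A6B8-00C04F0D38B7}'
$key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$killBit = 0x400   # Compatibility Flags bit that stops IE instantiating the control

# Create the key if it does not exist yet (requires an elevated prompt).
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Keep any flags already present and OR in the kill bit instead of replacing
# the value, so other compatibility settings on this CLSID survive.
$current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -eq $current) { $current = 0 }
$new = $current -bor $killBit
Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord

# Verify by reading the value back and testing the bit.
$check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
if (($check -band $killBit) -eq $killBit) {
    Write-Output ("Kill bit set for {0} (Compatibility Flags = 0x{1:X8})" -f $clsid, $check)
} else {
    Write-Error "Kill bit NOT set for $clsid"
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so repeat the steps for that path as well.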

It is unusual that a security vendor and service provider would make itself vulnerable in such a way. McAfee has not yet responded to an inquiry on this matter from heise Security, the H’s German associates.

Update: McAfee has now released a statement saying that it was aware of the issue and that it had “examined the effect of the reported issue and feel that the risk is very low”. The company has not yet fixed the problem but says that “as this is a hosted solution, patches will be automatic and all affected customers will be brought to the fixed version as quickly as possible”. McAfee says it does not believe there is any risk from the vulnerability “due to the mitigations in place”.